16936e330545fd176549d12ce98d8a0ccb4e24617ad0728c7a2946a7df5d4e19

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cc259d4fb7677bb0eb59437b7b8e15f.exe
Size

548KB
MD5

5cc259d4fb7677bb0eb59437b7b8e15f
SHA1

4f29abdbba5e212883ffba989f3cc024eee77ac9
SHA256

16936e330545fd176549d12ce98d8a0ccb4e24617ad0728c7a2946a7df5d4e19
SHA512

d2e7fb0c37e94897171b9e105bfb2ed8d960adb4618a66412dc0f36e25f1a71638007e8b5b3533b283d148d2b692bd9837e37240d70c3f561b9a6b8bbbd53807
SSDEEP

12288:D9CaEZZ2TusjEi3fLuSv1UFEyt652c5phCX8xvNkmw1cBYV0azPV+:DUsusl3ThvuSX2AhCs5Nbw1cCV0azQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2788	ecfcabfbcicdg.exe

Loads dropped DLL 10 IoCs

pid	Process
2916	5cc259d4fb7677bb0eb59437b7b8e15f.exe
2916	5cc259d4fb7677bb0eb59437b7b8e15f.exe
2916	5cc259d4fb7677bb0eb59437b7b8e15f.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe
2908	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	2788	WerFault.exe	28

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2720	wmic.exe
Token: SeSecurityPrivilege	2720	wmic.exe
Token: SeTakeOwnershipPrivilege	2720	wmic.exe
Token: SeLoadDriverPrivilege	2720	wmic.exe
Token: SeSystemProfilePrivilege	2720	wmic.exe
Token: SeSystemtimePrivilege	2720	wmic.exe
Token: SeProfSingleProcessPrivilege	2720	wmic.exe
Token: SeIncBasePriorityPrivilege	2720	wmic.exe
Token: SeCreatePagefilePrivilege	2720	wmic.exe
Token: SeBackupPrivilege	2720	wmic.exe
Token: SeRestorePrivilege	2720	wmic.exe
Token: SeShutdownPrivilege	2720	wmic.exe
Token: SeDebugPrivilege	2720	wmic.exe
Token: SeSystemEnvironmentPrivilege	2720	wmic.exe
Token: SeRemoteShutdownPrivilege	2720	wmic.exe
Token: SeUndockPrivilege	2720	wmic.exe
Token: SeManageVolumePrivilege	2720	wmic.exe
Token: 33	2720	wmic.exe
Token: 34	2720	wmic.exe
Token: 35	2720	wmic.exe
Token: SeIncreaseQuotaPrivilege	2720	wmic.exe
Token: SeSecurityPrivilege	2720	wmic.exe
Token: SeTakeOwnershipPrivilege	2720	wmic.exe
Token: SeLoadDriverPrivilege	2720	wmic.exe
Token: SeSystemProfilePrivilege	2720	wmic.exe
Token: SeSystemtimePrivilege	2720	wmic.exe
Token: SeProfSingleProcessPrivilege	2720	wmic.exe
Token: SeIncBasePriorityPrivilege	2720	wmic.exe
Token: SeCreatePagefilePrivilege	2720	wmic.exe
Token: SeBackupPrivilege	2720	wmic.exe
Token: SeRestorePrivilege	2720	wmic.exe
Token: SeShutdownPrivilege	2720	wmic.exe
Token: SeDebugPrivilege	2720	wmic.exe
Token: SeSystemEnvironmentPrivilege	2720	wmic.exe
Token: SeRemoteShutdownPrivilege	2720	wmic.exe
Token: SeUndockPrivilege	2720	wmic.exe
Token: SeManageVolumePrivilege	2720	wmic.exe
Token: 33	2720	wmic.exe
Token: 34	2720	wmic.exe
Token: 35	2720	wmic.exe
Token: SeIncreaseQuotaPrivilege	2280	wmic.exe
Token: SeSecurityPrivilege	2280	wmic.exe
Token: SeTakeOwnershipPrivilege	2280	wmic.exe
Token: SeLoadDriverPrivilege	2280	wmic.exe
Token: SeSystemProfilePrivilege	2280	wmic.exe
Token: SeSystemtimePrivilege	2280	wmic.exe
Token: SeProfSingleProcessPrivilege	2280	wmic.exe
Token: SeIncBasePriorityPrivilege	2280	wmic.exe
Token: SeCreatePagefilePrivilege	2280	wmic.exe
Token: SeBackupPrivilege	2280	wmic.exe
Token: SeRestorePrivilege	2280	wmic.exe
Token: SeShutdownPrivilege	2280	wmic.exe
Token: SeDebugPrivilege	2280	wmic.exe
Token: SeSystemEnvironmentPrivilege	2280	wmic.exe
Token: SeRemoteShutdownPrivilege	2280	wmic.exe
Token: SeUndockPrivilege	2280	wmic.exe
Token: SeManageVolumePrivilege	2280	wmic.exe
Token: 33	2280	wmic.exe
Token: 34	2280	wmic.exe
Token: 35	2280	wmic.exe
Token: SeIncreaseQuotaPrivilege	2280	wmic.exe
Token: SeSecurityPrivilege	2280	wmic.exe
Token: SeTakeOwnershipPrivilege	2280	wmic.exe
Token: SeLoadDriverPrivilege	2280	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2788	2916	5cc259d4fb7677bb0eb59437b7b8e15f.exe	28
PID 2916 wrote to memory of 2788	2916	5cc259d4fb7677bb0eb59437b7b8e15f.exe	28
PID 2916 wrote to memory of 2788	2916	5cc259d4fb7677bb0eb59437b7b8e15f.exe	28
PID 2916 wrote to memory of 2788	2916	5cc259d4fb7677bb0eb59437b7b8e15f.exe	28
PID 2788 wrote to memory of 2720	2788	ecfcabfbcicdg.exe	29
PID 2788 wrote to memory of 2720	2788	ecfcabfbcicdg.exe	29
PID 2788 wrote to memory of 2720	2788	ecfcabfbcicdg.exe	29
PID 2788 wrote to memory of 2720	2788	ecfcabfbcicdg.exe	29
PID 2788 wrote to memory of 2280	2788	ecfcabfbcicdg.exe	33
PID 2788 wrote to memory of 2280	2788	ecfcabfbcicdg.exe	33
PID 2788 wrote to memory of 2280	2788	ecfcabfbcicdg.exe	33
PID 2788 wrote to memory of 2280	2788	ecfcabfbcicdg.exe	33
PID 2788 wrote to memory of 2656	2788	ecfcabfbcicdg.exe	34
PID 2788 wrote to memory of 2656	2788	ecfcabfbcicdg.exe	34
PID 2788 wrote to memory of 2656	2788	ecfcabfbcicdg.exe	34
PID 2788 wrote to memory of 2656	2788	ecfcabfbcicdg.exe	34
PID 2788 wrote to memory of 2484	2788	ecfcabfbcicdg.exe	36
PID 2788 wrote to memory of 2484	2788	ecfcabfbcicdg.exe	36
PID 2788 wrote to memory of 2484	2788	ecfcabfbcicdg.exe	36
PID 2788 wrote to memory of 2484	2788	ecfcabfbcicdg.exe	36
PID 2788 wrote to memory of 1964	2788	ecfcabfbcicdg.exe	39
PID 2788 wrote to memory of 1964	2788	ecfcabfbcicdg.exe	39
PID 2788 wrote to memory of 1964	2788	ecfcabfbcicdg.exe	39
PID 2788 wrote to memory of 1964	2788	ecfcabfbcicdg.exe	39
PID 2788 wrote to memory of 2908	2788	ecfcabfbcicdg.exe	40
PID 2788 wrote to memory of 2908	2788	ecfcabfbcicdg.exe	40
PID 2788 wrote to memory of 2908	2788	ecfcabfbcicdg.exe	40
PID 2788 wrote to memory of 2908	2788	ecfcabfbcicdg.exe	40

C:\Users\Admin\AppData\Local\Temp\5cc259d4fb7677bb0eb59437b7b8e15f.exe
"C:\Users\Admin\AppData\Local\Temp\5cc259d4fb7677bb0eb59437b7b8e15f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe
  C:\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe 2#2#2#0#6#1#1#1#3#9#4 LU5HRDcyMS8tFytRU0BQQ0M8Lx0mSkNSVU9MSkhDOiccLUJHU05IQzwuMDM1Hi1DQ0M8Lx0mTFBNQlU9U15IQTQtNDcyIClSRFFTPE5dU1BMN2dzc20xKy1xcHYoQ0RSSCRQTU4rQUpPLUhLPUseLUFMQ0JKSEE0HC1CLz0nMB8uQSk5Ky8eLz4yPCwuFytCMjstKx8uQzI0KS8eLVBMTkNUQEtbTlBHVjtCWDwdJkxQTUJVPVNeRFJDPTseLVBMTkNUQEtbTD9LRTcfLkRVPFtTUEo9Gi5EV0JWP0tCSklIRDwfLD9LUVJdQkxOVlJCSTkuHi1UQkBNSlZGUV1TUEw3Hy5VSjQuHi1CUys8Hy5PTEpSR0tFWVZES0BGSUNHS0FBRFRRSTQcLUdRX0xUTVNGREE7cnB1Xx8uUUJLUVBMR05BXlRSQklbQj9XUzcxHy5FQEBDVjsxGi5IUlw7VUw/S0k9XkRNQElVTlJDRDdlYGtwXBwtQk1XSEtOQEFWRU47NzUoMTQtLyg0LDEeL05ITEQ6KDAwNzczLTA4NR0mQE1VTExJQENeUUBJQzsyLyw0LjEtKDEoMTgzMzk0NSc4SR4tU0E3TG55ZmNoXyMwZi4tLyolWmtrbl90Y2FrZCIqXilLUUk/KjUtLRwvYClVaWhjbnZwIkpSKTMuKyQyYShKUi8jMWIlLU1EUSI/SlApMigvLTQtLi41Jx4vT1FLPGVrcG4jMWEfMWUkL11jY3IsMCsxMGUrYGpkbSMyYFF0bVFgaWNCbXdoa25gYURdbF9lZWxeY2RtY2t3IzBmKzMxODYpMzIwMSUsZTAzLzA1MDUyMi0kMWUuKy43NzA3LjEyJDBdLDQwMDkqLzY4LytWLzd3Tj1mJDFjWkBXb0tDcXZIRkYuR0JpMU08MHBOUTxzTHhHZFxpL29FTkJtX1QxalkwcjZBaC5tTXlld0hGRm5KQS52SCtyd05QJ25IRUdySlIvcEVORXZOUWNwSUUwbVlCM2pWMmZrTS9xYVMwamZTUU1lY1RNb0p4P2xHaDByVT9GdmFBQmhYVllyR09xYmNHUHZNeT4=
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704513925.txt bios get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704513925.txt bios get version
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2280
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704513925.txt bios get version
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704513925.txt bios get version
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic /output:C:\Users\Admin\AppData\Local\Temp\81704513925.txt bios get version
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 372
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81704513925.txt

Filesize
66B

MD5
9025468f85256136f923096b01375964

SHA1
7fcd174999661594fa5f88890ffb195e9858cc52

SHA256
d5418014fa8e6e17d8992fd12c0dfecac8a34855603ea58133e87ea09c2130df

SHA512
92cac37c332e6e276a963d659986a79a79867df44682bfc2d77ed7784ffa5e2c149e5960a83d03ef4cf171be40a73e93a110aaa53b95152fa9a9da6b41d31e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704513925.txt

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\81704513925.txt

Filesize
58B

MD5
dd876faf0fd44a5fab3e82368e2e8b15

SHA1
01b04083fa278dda3a81705ca5abcfee487a3c90

SHA256
5602490a82bcacec8797d25cbb6f643fc9e69f89a2f0e6ec1e8d1f568e77a6b9

SHA512
e03d1def5b7fb0ed01a414cead199229ec0e153ff831d3ff5dd36c320572084c56a5e1369c753f868c855455758c0d308941b6187c348051419bd937d014cb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe

Filesize
271KB

MD5
951cbcdf9f8d2203b9ca961578c810f1

SHA1
c4705a430eb35b28a64a1066c1fbdf04accd4380

SHA256
52bc591a13b9b3dbd406351b382bf775f7636c2d0f3d8f60fa0bdc6a7951378b

SHA512
b608109d0c453cc99e2f300359b0495662539ff2f55d55fae3c7359205112d6fbeafc321051da6c752d97708d36a33bba505b7ee2a7c4c07fb902921c907c9cf

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe

Filesize
261KB

MD5
f8f7064692962c8a9a354282fc36da7a

SHA1
901f47c57feecd45dad87bedd6b9fbd254b9667b

SHA256
d2d69e0208daebed971285741ef2bf6e3a39692d63310f176224bb6c865fc9c1

SHA512
699891ec7f9e76a34ca3cdcd05702e0279c9040520a2f810654a7762ced0e720d6f5e4a670fb0e4e58bc2bec5b97c741bf00bae2ed36ea95e311f28bce173c71

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe

Filesize
626KB

MD5
22392b1e7a7bb54308c42c40a77b6415

SHA1
33e4bdfc441d38812bb79a0d05b4ee580575c34f

SHA256
c877b655188921e47e3a21af70ef54816ac3331223e1031a000551e445648e43

SHA512
3be03540342bcd726915b078b9d4611aab8dc9b58d416e83f4dde34dbf6ef92b250fbf3740f875291b1d06c8802c9a748bd0dbf62e1dd32ec5abb64fdfb7d958

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe

Filesize
113KB

MD5
88713e9a06aeb1dacc0518fda495088b

SHA1
a5d9e5ab512e34f2878f8fe57ed61fdc3a470046

SHA256
e80d968f19acab7d2ff16e5d3cf59ce333064c4ec1408276d6e436e9b6bf5b5a

SHA512
5c98bd91c0133604e42ff2218d0e717aec1e940a904fc14074d3ebdedf5fe8fb1878f48f5c28f59ec7d62d9e946c059526c8353d3031c65d83eab7f5706b7bdb

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe

Filesize
764KB

MD5
56e6f7c16992d8b2f5912ba01bfe93ee

SHA1
c2c33e2445618d79aa4920acb862d533c5a153cf

SHA256
5a930fb5a147e14030be8ea9e869b61b236ae100559a7825637f6512c0386463

SHA512
8dbce6daa39070549110e426f9a5f879a25c2764787931f812ad6501b45e93d8fc9d20e183e10364f29ad73c59cfd01fd9bb8acbd69d23c59b736cd40deececa

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe

Filesize
50KB

MD5
fd0feae11e5a63c7b93a565117caf6dc

SHA1
e5c9e41470d64f27eaff8f4de491018b4e3a878f

SHA256
600b5590dd002a1473bf2e64d1f0e078e8c468b03a7ec07370a5db4dce8a590d

SHA512
22bb828be4a940e6a5397944c68c87a1803d9b9218f3286fdede26507932305466575991fe27429084edf6f0a87436160d882ebfedb679479b07db8d3a632f89

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe

Filesize
236KB

MD5
5cc8928ae8189873f038628a2c480fc3

SHA1
7ff734fc92dcce160c9a249be8538c3f1e31d932

SHA256
d38b1b7e7d3f6d28322310fb15ab144451dd34207986d7fa064b5c4a256f6d84

SHA512
97c5b8f03a46e40adba557a49c36d2ebe57261a0a74587e600960f7e567f55a57f967e5988957daa6b8a7124d2be9baf977b5e38b1c03a9a8deade4c78fd1b0b

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe

Filesize
398KB

MD5
687223474deed39cc4903628c60917ea

SHA1
0b30cc85bbcd08b714eb7cffec51611ebd08a745

SHA256
51c0ba5f20af386f116b58e9a5f9572d89bb6ecbcaf13c09479d7df2a1edce3c

SHA512
20ed60b2b57fd55b7cda5f070f9eedf69285009eea2d12716ff3a2b29466d56e5af4daf284168d6b8a9ae57825ec5b7ca87039f0c209ff9f88c4e1661e2a268f

Download Submit
\Users\Admin\AppData\Local\Temp\ecfcabfbcicdg.exe

Filesize
45KB

MD5
1a2bfb1a230cf1df2413a81e2c7ac8cd

SHA1
bf6a9de9c4ec2d761ea10b2d9fae003187c688f9

SHA256
cfcdd234622f32143a0878eac34afe7ebef089b20e3340376f4b8991e6fdac3f

SHA512
5f5cad6cc2808bb5710b9fc432f488bc8abfec0298c1ed854a2f4bc6ebb5c2db0c5866563fb2a33d8f58ebe621560c60b85a851f8520c450f3115c9843101c7a

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F3A.tmp\hyulanvh.dll

Filesize
107KB

MD5
9080b78b9a4590a6e43e41468a387819

SHA1
d79b2cfec3736bf6d58f627aeaad43ad75d9e142

SHA256
7c82ae5664963f23bd03b09fbcc5978295f482357f4c0c9f9af09828e7fab67c

SHA512
6f6ac05e8bda7936d9eeba49200041fd70a6b26964dc2f598fc1cc6680217b32eedd3652a9015713c182d660ae838b1f410644c56edac642649f6d03d2eb834b

Download Submit
\Users\Admin\AppData\Local\Temp\nst4F3A.tmp\nsisunz.dll

Filesize
40KB

MD5
5f13dbc378792f23e598079fc1e4422b

SHA1
5813c05802f15930aa860b8363af2b58426c8adf

SHA256
6e87ecb7f62039fbb6e7676422d1a5e75a32b90dde6865dcb68ee658ba8df61d

SHA512
9270635a5294482f49e0292e26d45dd103b85fe27dc163d44531b095c5f9dbde6b904adaf1a888ba3c112a094380394713c796f5195b2566a20f00b42b6578e5

Download Submit